Anyone have any details on Apple Private Relay?

I’m not clear if it’s for all traffic, or just Safari?

And I can’t imagine Apple just built-out some massive capacity of their own for this? Maybe underneath the hood they’re partnering with Cloudflare for WARP or something similar?

And I’m guessing it would go ‘around’ any local pi-hole installations?

But then again, I’m mostly just guessing and could be completely wrong. 🙂

Anyone else here have any insights?


Lots of insights to be had on the web. The quote in this article should answer your questions. 🙂

I just came here straight after looking at the MacStories overview of the Fast Company interview.

It’s just Safari. The clever idea is that your request is essentially split in two so no one knows who sent the request, and Apple is working with unnamed third parties.

And another clever bit is it doesn’t let you change your country, so media companies won’t be too unhappy.


Exactly the type of info I was looking for, thanks!!!

I’m very interested to see how this works with TLS interception, how it plays with DNS, how difficult it will be to detect and block, and how Safari will handle this being blocked.

OK, back to Firefox then 🙂

But if they don’t have your location (IP address), how could TV companies geoblock you?

If Apple is acting as a proxy then they can use a source IP that corresponds to your country.


They are attributing to you an IP that matches your region of origin.

That would mean that they would have to have IP addresses (and enough bandwidth) in every country in the world. Wow! That’s a heck of a network.

They can (and certainly will) aggregate requests with just a handful of IPs in each country, the way current VPNs do.

And also I think they mostly leverage 3rd party networks, hence the splitting of the stream. Give someone half of an encrypted stream, and no matter what they won’t be able to reconstitute the request.

So Apple itself would need only very few access (or egress) points and they would be able to pull this off without any issues.

What do you mean by splitting of the stream?

An oversimplification of the fact that the request is split = encrypt, IP removed from encrypted package, sent to 3rd party that adds artificial IP and forwards to destination.

And we all know what happens if you cross the streams.


There are multiple hops, but I don’t think it’s “split”. It still has to be routed. Apple has your IP, anonymizes it (think NAT), and forwards it along to a third party to decrypt the payload/page request.

That’s why the “oversimplification” part 🙂

If you use a VPN, is Safari still seeing your host IP address or the VPN’s?

If you use a “normal” VPN then it simply shows up to your computer as a separate network interface and route. Servers will see either your IP address as the source, or (more commonly) a NATed one.

This is my understanding as well.